Add SA to each namespace for running cron jobs #7032
Hi @brianwcook. Thanks for your PR. I'm waiting for a redhat-appstudio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
With this permission users can change the snapshot content. Are we ok with it?
Users (maintainers and admins) can already change snapshot content. This gives us a service account that can do it so that we can run ITS jobs with cron.
Users cannot change Snapshots. If they want to change the content, they need to create a new one. The intention for Snapshots is to have some immutable reference which can be used for testing and releasing. If we expose the ability to modify them (even accidentally), we introduce the possibility for inconsistencies. Why do we need to mutate the snapshots?
But the ClusterRole for admins has: infra-deployments/components/konflux-rbac/staging/base/konflux-admin-user-actions.yaml Lines 24 to 35 in 4e205ca
@gbenhaim, how do we protect against changing Snapshots today?
The issue is that we need to be able to add a label to an existing snapshot as described here in order to kick off the ITS. I am following the instructions given on creating an SA and what permissions to assign to it. I think that if we are worried about this PR, then we should also be worried about the advice given in those docs.
This also appears to be consistent with https://github.com/konflux-ci/architecture/blob/main/ADR/0011-roles-and-permissions.md. It seems like we might need additional protections in place to protect against mutating the components.
@gbenhaim, we decided to add a new webhook to make snapshot components immutable.
matchLabels: | ||
konflux-ci.dev/type: tenant | ||
generate: | ||
kind: Role |
I think it would be better to create a single cluster role in this application https://github.com/redhat-appstudio/infra-deployments/tree/main/components/konflux-rbac that will be referenced by the role in each tenant namespace.
Also, the group name in apiGroups should be changed
Ok, I made those changes and rebased. Also, the validating webhook to block mutation of snapshots has been merged.
This PR supports adding a UI for https://konflux-ci.dev/docs/testing/integration/periodic-integration-tests/. In order for the UI to work an SA with correct permissions to mutate snapshots must exist in the namespace with a predictable name. Signed-off-by: Brian Cook <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: brianwcook. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Can this proceed now?
- name: generate-serviceaccount | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- Namespace | ||
selector: | ||
matchLabels: | ||
konflux-ci.dev/type: tenant | ||
generate: | ||
kind: ServiceAccount | ||
apiVersion: v1 | ||
name: konflux-cron-sa | ||
namespace: '{{request.object.metadata.name}}' | ||
synchronize: true | ||
- name: generate-snapshot-rolebinding | ||
match: |
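Review bot: `synchronize: true` on the `generate-serviceaccount` rule means Kyverno will recreate `konflux-cron-sa` whenever it is deleted from a tenant namespace, so a tenant admin cannot opt out of the account (and of whatever the following `generate-snapshot-rolebinding` rule grants it) except by changing the ClusterPolicy itself. If that is the intended behaviour, state it in the PR description or in a comment next to the rule so operators know where the permission is really controlled.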
The `skipBackgroundRequests` field needs to be explicitly set, otherwise ArgoCD will always consider the ClusterPolicy OutOfSync.
- name: generate-serviceaccount | |
match: | |
any: | |
- resources: | |
kinds: | |
- Namespace | |
selector: | |
matchLabels: | |
konflux-ci.dev/type: tenant | |
generate: | |
kind: ServiceAccount | |
apiVersion: v1 | |
name: konflux-cron-sa | |
namespace: '{{request.object.metadata.name}}' | |
synchronize: true | |
- name: generate-snapshot-rolebinding | |
match: | |
- name: generate-serviceaccount | |
skipBackgroundRequests: true | |
match: | |
any: | |
- resources: | |
kinds: | |
- Namespace | |
selector: | |
matchLabels: | |
konflux-ci.dev/type: tenant | |
generate: | |
kind: ServiceAccount | |
apiVersion: v1 | |
name: konflux-cron-sa | |
namespace: '{{request.object.metadata.name}}' | |
synchronize: true | |
- name: generate-snapshot-rolebinding | |
skipBackgroundRequests: true | |
match: |
#7348 will mitigate this problem though
we need to add this ClusterPolicy to the kustomization.yaml file, otherwise it won't be deployed.
We should update the tests to check the resource is correctly created. Something like:
Lines 50 to 54 in de5e61a
- name: then-resources-are-created | |
try: | |
- assert: | |
file: resources/expected-resources.yaml | |
template: true |
konflux-ci.dev/type: tenant | ||
generate: |
For how the ClusterPolicy is now, it will react to any Update events. We are only interested in Update events that add the tenant label. We can restrict this way:
konflux-ci.dev/type: tenant | |
generate: | |
konflux-ci.dev/type: tenant | |
celPreconditions: | |
- name: "on update, oldObject had no konflux-ci.dev/type=tenant label" | |
expression: "request.operation != UPDATE || ! (has(oldObject.metadata.labels) && 'konflux-ci.dev/type' in oldObject.metadata.labels && oldObject.metadata.labels['konflux-ci.dev/type] == 'tenant')" | |
generate: |
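Review bot: the CEL expression in the suggested `celPreconditions` has an unterminated string literal: `oldObject.metadata.labels['konflux-ci.dev/type]` is missing the closing quote and should read `oldObject.metadata.labels['konflux-ci.dev/type']`. As written the precondition will not compile and the rule will be rejected. In the same expression `request.operation != UPDATE` compares against a bare identifier; `request.operation` is a string, so write `request.operation != 'UPDATE'`.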
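Putting the review threads together (a single ClusterRole under konflux-rbac referenced by a generated RoleBinding in each tenant namespace, `skipBackgroundRequests` set explicitly, and the CEL precondition with its quoting corrected), here is how the complete ClusterPolicy could look. This is an added illustration, not the PR's own file: the policy name, the ClusterRole name `konflux-cron-snapshot-editor`, the RoleBinding name, and the `appstudio.redhat.com` API group for Snapshots are assumptions, and the ClusterRole is kept to the single verb the cron use case needs (patching a label), without delete.

```yaml
# Added example, not the PR's code. Names below are assumptions:
#   - ClusterRole konflux-cron-snapshot-editor (would live in components/konflux-rbac)
#   - apiGroup appstudio.redhat.com for the Snapshot CRD
#   - policy / RoleBinding names are placeholders
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: konflux-cron-snapshot-editor   # assumed name
rules:
  - apiGroups:
      - appstudio.redhat.com           # assumed group of the Snapshot CRD
    resources:
      - snapshots
    # Only what labelling an existing Snapshot requires; no create/delete.
    verbs:
      - get
      - list
      - patch
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: konflux-cron-sa                # placeholder name
spec:
  rules:
    - name: generate-serviceaccount
      # Explicit so ArgoCD does not report the policy as OutOfSync.
      skipBackgroundRequests: true
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  konflux-ci.dev/type: tenant
      # Fire on CREATE, and on UPDATE only when the tenant label is new.
      celPreconditions:
        - name: "on update, oldObject had no konflux-ci.dev/type=tenant label"
          expression: >-
            request.operation != 'UPDATE' ||
            !(has(oldObject.metadata.labels) &&
              'konflux-ci.dev/type' in oldObject.metadata.labels &&
              oldObject.metadata.labels['konflux-ci.dev/type'] == 'tenant')
      generate:
        kind: ServiceAccount
        apiVersion: v1
        name: konflux-cron-sa
        namespace: '{{request.object.metadata.name}}'
        synchronize: true
    - name: generate-snapshot-rolebinding
      skipBackgroundRequests: true
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  konflux-ci.dev/type: tenant
      celPreconditions:
        - name: "on update, oldObject had no konflux-ci.dev/type=tenant label"
          expression: >-
            request.operation != 'UPDATE' ||
            !(has(oldObject.metadata.labels) &&
              'konflux-ci.dev/type' in oldObject.metadata.labels &&
              oldObject.metadata.labels['konflux-ci.dev/type'] == 'tenant')
      generate:
        kind: RoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        name: konflux-cron-sa-snapshot-editor   # placeholder name
        namespace: '{{request.object.metadata.name}}'
        synchronize: true
        data:
          subjects:
            - kind: ServiceAccount
              name: konflux-cron-sa
              namespace: '{{request.object.metadata.name}}'
          roleRef:
            kind: ClusterRole
            name: konflux-cron-snapshot-editor  # single shared ClusterRole
            apiGroup: rbac.authorization.k8s.io
```

Binding a shared ClusterRole through a namespaced RoleBinding keeps the grant scoped to each tenant namespace while giving the permission set one place to audit and tighten; with the Snapshot immutability webhook in place, the `patch` verb lets the cron SA add the trigger label without being able to alter snapshot components.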
Just checking: do you want me to proceed and make the changes for this PR, or would you rather us just use the default SA (assuming it has or can be given the proper privs)?